This topic is now archived and is closed to further replies.

Infractal

SSL Inspection TLS 1.2 Support?

Is there a roadmap for adding TLS 1.2 support for SSL inspection? I would also like to see the following forward secrecy ciphers supported to match the Win8.1/10 schannel stack, along with the ability to configure the cipher and protocol config on clients so I can do things like disable RC4 ciphers for my enterprise clients.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256


Hello,

TLS 1.2 is supported by our implementation of SSL Protocol checking.

Do you have any particular issues with it with the current Internet protection module?

P.R.


After doing a bit more digging, I am noticing that browsers are behaving differently. Qualys tests against IE11 doing SSL inspection show TLS 1.2 support, but Firefox 36 is only going up to TLS 1.1.

Is cipher customization a possibility? I'd really like to get those RC4 ciphers pulled out.


Hello,

Yes, you are right; support for TLS 1.2 in Firefox will be included in Internet protection module 1181+ (not available for users yet).

We will release this module gradually for users, but we do not have any time frame specified yet.

P.R.


You have ignored his question: why can you not add cipher control to the settings?

Also support for HSTS hxxp://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Public Key pinning hxxp://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Plus manual verification of certificates.

I think the HTTPS interception is messy and goes against good security practices. It's better to just make it so LiveGrid can work without live http/https interception.

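The policy asked for in this thread (forward-secrecy key exchange, no RC4) can be checked against whatever suite list an inspecting proxy or client actually offers. The following Python audit is an added example, not code from any poster or from the vendor; the function names and the `OFFERED_SAMPLE` list are constructed for illustration.

```python
import re

AEAD_MODES = ("GCM", "CCM", "CHACHA20_POLY1305")

# The six suites requested in the first post of the thread.
REQUESTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed sample of what a legacy client might offer.
OFFERED_SAMPLE = REQUESTED[:2] + [
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def classify(suite):
    """Split an IANA suite name into key exchange and cipher properties."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {suite!r}")
    if "_WITH_" in suite:                    # TLS 1.2 and earlier naming
        kx_auth, cipher_mac = suite[4:].split("_WITH_", 1)
        kx = kx_auth.split("_")[0]           # ECDHE, DHE, ECDH, DH, RSA, ...
        forward_secret = kx in ("ECDHE", "DHE")   # ephemeral exchanges only
    else:                                    # TLS 1.3 naming, always ephemeral
        kx, cipher_mac, forward_secret = "TLS1.3", suite[4:], True
    return {
        "key_exchange": kx,
        "forward_secret": forward_secret,
        "rc4": bool(re.search(r"(^|_)RC4(_|$)", cipher_mac)),
        "aead": any(mode in cipher_mac for mode in AEAD_MODES),
    }

def audit(offered):
    """Return (suite, reason) for every suite that breaks the policy."""
    findings = []
    for suite in offered:
        info = classify(suite)
        if info["rc4"]:
            findings.append((suite, "RC4 bulk cipher"))
        elif not info["forward_secret"]:
            findings.append((suite, "no forward secrecy"))
    return findings

if __name__ == "__main__":
    for suite, reason in audit(OFFERED_SAMPLE):
        print(f"{suite}: {reason}")
```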
